
The flaw in question is a stack buffer overflow vulnerability in Microsoft’s Equation Editor.

It was reported that this flaw has been exploited since 2018 through an updated RTF weaponizer.

Security researchers from Anomali came across an improved version of a Rich Text Format (RTF) weaponizer used by multiple Chinese threat actors. As part of their analysis of the weaponizer, they found that the updated version was used solely to exploit CVE-2018-0798, a stack buffer overflow flaw in Microsoft’s Equation Editor.

The earlier version of this “Royal Road” weaponizer was used to exploit two remote code execution vulnerabilities (CVE-2017-11882 and CVE-2018-0802) in the same Equation Editor. Anomali researchers suggest that the groups now rely on CVE-2018-0798 because of its ‘reliability’ across all versions of Equation Editor.

The big picture

Malware samples analyzed by the researchers were attributed to five Chinese threat actor groups. They are Conimes, KeyBoy, Emissary Panda, Rancor, and Temp.Trident.

The campaigns using the improved RTF weaponizer were discovered from June 25, 2019, onwards.

The earlier version of the weaponizer was used for approximately one year, starting from December 2017. After this period, it was reportedly used by other threat actors, indicating that the creator of this weaponizer was selling it to others.

Anomali researchers also came across various exploitation techniques that leveraged CVE-2018-0798 to drop malicious payloads.

Some of these techniques included OLE package objects, DLL sideloading, and dropping malicious ‘.wll’ files in Windows startup folders.
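A .wll file is a Word add-in library, and Word loads any .wll it finds in its startup folders, so a defender triaging a host for the techniques above wants two quick answers: are there unexpected .wll add-ins in Word's startup folders, and is the vulnerable Equation Editor (EQNEDT32.EXE) still present or COM-disabled? The PowerShell below is an added triage script, not from the article or from Anomali; the folder and registry paths are the standard defaults and are assumptions for non-default Office installs.

```powershell
# Added triage script (not from the article). Looks for .wll add-ins in Word's
# startup folders and reports whether Equation Editor is installed/disabled.
# Paths below are the usual defaults; adjust for non-default installs.

function Get-WordStartupWll {
    # Word loads *.wll add-ins from the per-user and per-install STARTUP folders.
    $folders = @("$env:APPDATA\Microsoft\Word\STARTUP")
    foreach ($root in @($env:ProgramFiles, ${env:ProgramFiles(x86)})) {
        if ($root) {
            $folders += Get-ChildItem -Path "$root\Microsoft Office" -Recurse -Directory `
                -Filter 'STARTUP' -ErrorAction SilentlyContinue |
                Select-Object -ExpandProperty FullName
        }
    }
    # A per-user registry value can relocate the startup folder; include it too.
    Get-ChildItem 'HKCU:\Software\Microsoft\Office\*\Word\Options' -ErrorAction SilentlyContinue |
        ForEach-Object { $p = $_.GetValue('STARTUP-PATH'); if ($p) { $folders += $p } }

    $folders | Sort-Object -Unique | ForEach-Object {
        Get-ChildItem -Path $_ -Filter '*.wll' -File -ErrorAction SilentlyContinue
    } | Select-Object FullName, Length, LastWriteTime,
        @{ n = 'SHA256'; e = { (Get-FileHash $_.FullName -Algorithm SHA256).Hash } }
}

function Test-EquationEditorPresent {
    # Default install location of the Equation Editor binary (32- and 64-bit Office).
    $candidates = @($env:CommonProgramFiles, ${env:CommonProgramFiles(x86)}) |
        Where-Object { $_ } |
        ForEach-Object { Join-Path $_ 'Microsoft Shared\EQUATION\EQNEDT32.EXE' }
    $found = @($candidates | Where-Object { Test-Path $_ })

    # Microsoft's published mitigation sets COM Compatibility Flags 0x400 on the
    # Equation Editor CLSID so Office refuses to instantiate it.
    $clsid = '{0002CE02-0000-0000-C000-000000000046}'
    $key   = "HKLM:\SOFTWARE\Microsoft\Office\Common\COM Compatibility\$clsid"
    $flags = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'Compatibility Flags'

    [pscustomobject]@{
        BinaryPresent = ($found.Count -gt 0)
        BinaryPaths   = $found
        ComDisabled   = (([int]$flags) -band 0x400) -eq 0x400
    }
}

Get-WordStartupWll | Format-Table -AutoSize
Test-EquationEditorPresent
```

Any .wll the script lists that is not a known, signed add-in deserves a closer look, and a host where EQNEDT32.EXE is present with ComDisabled false is still exposed to all three Equation Editor CVEs named in the story.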

Worth noting

The researchers also explain why threat actors opted to exploit CVE-2018-0798. “CVE-2017-11882 is only exploitable on an unpatched version prior to its fix, and CVE-2018-0802 is only exploitable on the version released to fix CVE-2017-11882. In contrast, a threat actor utilizing CVE-2018-0798 has a higher chance of success because it is not limited by version,” they said.

Ryan Stewart

Ryan is a senior cybersecurity and privacy analyst. He keenly follows the innovation and development in cybersecurity technologies, and loves to educate everyone about the what, why, and how of major incidents in the cybersecurity world.
